add auth param

Signed-off-by: bigtea <tianqushen@huawei.com>

frameworks/account_iam/src/account_iam_callback_service.cpp

@@ -86,6 +86,19 @@ void GetEnrolledIdCallbackService::OnEnrolledId(int32_t result, uint64_t enrolle
     callback_->OnEnrolledId(result, enrolledId);
 }
 
+PreRemoteAuthCallbackService::PreRemoteAuthCallbackService(
+    const std::shared_ptr<PreRemoteAuthCallback> &callback) : callback_(callback)
+{}
+
+void PreRemoteAuthCallbackService::OnResult(int32_t result)
+{
+    if (callback_ == nullptr) {
+        ACCOUNT_LOGE("Callback is nullptr.");
+        return;
+    }
+    callback_->OnResult(result);
+}
+
 DomainAuthCallbackAdapter::DomainAuthCallbackAdapter(
     const std::shared_ptr<IDMCallback> &callback) : callback_(callback)
 {}
@@ -156,7 +169,8 @@ IAMInputer::IAMInputer(int32_t userId, const std::shared_ptr<IInputer> &inputer)
 IAMInputer::~IAMInputer()
 {}
 
-void IAMInputer::OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData)
+void IAMInputer::OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+    std::shared_ptr<IInputerData> inputerData)
 {
     if (inputerData == nullptr) {
         ACCOUNT_LOGE("inputerData is nullptr");
@@ -178,7 +192,7 @@ void IAMInputer::OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> in
         return;
     }
     auto iamInputerData = std::make_shared<IAMInputerData>(userId_, inputerData);
-    innerInputer_->OnGetData(authSubType, iamInputerData);
+    innerInputer_->OnGetData(authSubType, challenge, iamInputerData);
 }
 
 void IAMInputer::ResetInnerInputer(const std::shared_ptr<IInputer> &inputer)

frameworks/account_iam/src/account_iam_callback_stub.cpp

@@ -214,5 +214,35 @@ ErrCode GetEnrolledIdCallbackStub::ProcOnEnrolledId(MessageParcel &data, Message
     OnEnrolledId(result, enrolledId);
     return ERR_OK;
 }
+
+int PreRemoteAuthCallbackStub::OnRemoteRequest(
+    uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option)
+{
+    ACCOUNT_LOGD("Received stub message: %{public}d, callingUid: %{public}d, callingPid: %{public}d",
+        code, IPCSkeleton::GetCallingUid(), IPCSkeleton::GetCallingPid());
+    if (data.ReadInterfaceToken() != GetDescriptor()) {
+        ACCOUNT_LOGE("Check PreRemoteAuthCallbackStub descriptor failed, code=%{public}u.", code);
+        return ERR_ACCOUNT_COMMON_CHECK_DESCRIPTOR_ERROR;
+    }
+    switch (code) {
+        case static_cast<uint32_t>(PreRemoteAuthCallbackInterfaceCode::ON_RESULT):
+            return ProcOnResult(data, reply);
+        default:
+            break;
+    }
+    ACCOUNT_LOGW("Remote request unhandled: %{public}d.", code);
+    return IPCObjectStub::OnRemoteRequest(code, data, reply, option);
+}
+
+ErrCode PreRemoteAuthCallbackStub::ProcOnResult(MessageParcel &data, MessageParcel &reply)
+{
+    int32_t result;
+    if (!data.ReadInt32(result)) {
+        ACCOUNT_LOGE("Read result for PreRemoteAuthCallbackStub OnResult failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    OnResult(result);
+    return ERR_OK;
+}
 }  // namespace AccountSA
 }  // namespace OHOS

frameworks/account_iam/src/account_iam_client.cpp

@@ -187,19 +187,36 @@ uint64_t AccountIAMClient::StartDomainAuth(int32_t userId, const std::shared_ptr
         callback->OnResult(ERR_ACCOUNT_IAM_KIT_INPUTER_NOT_REGISTERED, emptyResult);
         return 0;
     }
-    domainInputer_->OnGetData(IAMAuthType::DOMAIN, std::make_shared<DomainCredentialRecipient>(userId, callback));
+    domainInputer_->OnGetData(IAMAuthType::DOMAIN, std::vector<uint8_t>(),
+        std::make_shared<DomainCredentialRecipient>(userId, callback));
     return 0;
 }
 #endif
 
-uint64_t AccountIAMClient::Auth(const std::vector<uint8_t> &challenge, AuthType authType,
-    AuthTrustLevel authTrustLevel, const std::shared_ptr<IDMCallback> &callback)
+int32_t AccountIAMClient::PrepareRemoteAuth(
+    const std::string &remoteNetworkId, const std::shared_ptr<PreRemoteAuthCallback> &callback)
 {
-    return AuthUser(0, challenge, authType, authTrustLevel, callback);
+    if (callback == nullptr) {
+        ACCOUNT_LOGE("Callback for PrepareRemoteAuth is nullptr.");
+        return ERR_ACCOUNT_COMMON_NULL_PTR_ERROR;
+    }
+    auto proxy = GetAccountIAMProxy();
+    if (proxy == nullptr) {
+        callback->OnResult(ERR_ACCOUNT_COMMON_GET_PROXY);
+        return ERR_ACCOUNT_COMMON_GET_PROXY;
+    }
+    sptr<IPreRemoteAuthCallback> wrapper = new (std::nothrow) PreRemoteAuthCallbackService(callback);
+    return proxy->PrepareRemoteAuth(remoteNetworkId, wrapper);
+}
+
+uint64_t AccountIAMClient::Auth(AuthOptions& authOptions, const std::vector<uint8_t> &challenge,
+    AuthType authType, AuthTrustLevel authTrustLevel, const std::shared_ptr<IDMCallback> &callback)
+{
+    return AuthUser(authOptions, challenge, authType, authTrustLevel, callback);
 }
 
 uint64_t AccountIAMClient::AuthUser(
-    int32_t userId, const std::vector<uint8_t> &challenge, AuthType authType,
+    AuthOptions &authOptions, const std::vector<uint8_t> &challenge, AuthType authType,
     AuthTrustLevel authTrustLevel, const std::shared_ptr<IDMCallback> &callback)
 {
     uint64_t contextId = 0;
@@ -211,20 +228,34 @@ uint64_t AccountIAMClient::AuthUser(
     if (proxy == nullptr) {
         return contextId;
     }
-    if ((userId == 0) && (!GetCurrentUserId(userId))) {
+    if ((authOptions.accountId == 0) && (!GetCurrentUserId(authOptions.accountId))) {
         return contextId;
     }
 #ifdef HAS_PIN_AUTH_PART
     if (static_cast<int32_t>(authType) == static_cast<int32_t>(IAMAuthType::DOMAIN)) {
-        return StartDomainAuth(userId, callback);
+        return StartDomainAuth(authOptions.accountId, callback);
     }
 #endif
-    sptr<IIDMCallback> wrapper = new (std::nothrow) IDMCallbackService(userId, callback);
+    sptr<IIDMCallback> wrapper = new (std::nothrow) IDMCallbackService(authOptions.accountId, callback);
     AuthParam authParam;
     authParam.challenge = challenge;
     authParam.authType = authType;
     authParam.authTrustLevel = authTrustLevel;
-    ErrCode result = proxy->AuthUser(userId, authParam, wrapper, contextId);
+    authParam.userId = authOptions.accountId;
+    authParam.authIntent = authOptions.authIntent;
+    if (authOptions.hasRemoteAuthOptions) {
+        authParam.remoteAuthParam = RemoteAuthParam();
+        if (authOptions.remoteAuthOptions.hasVerifierNetworkId) {
+            authParam.remoteAuthParam.value().verifierNetworkId = authOptions.remoteAuthOptions.verifierNetworkId;
+        }
+        if (authOptions.remoteAuthOptions.hasCollectorNetworkId) {
+            authParam.remoteAuthParam.value().collectorNetworkId = authOptions.remoteAuthOptions.collectorNetworkId;
+        }
+        if (authOptions.remoteAuthOptions.hasCollectorTokenId) {
+            authParam.remoteAuthParam.value().collectorTokenId = authOptions.remoteAuthOptions.collectorTokenId;
+        }
+    }
+    ErrCode result = proxy->AuthUser(authParam, wrapper, contextId);
     if (result != ERR_OK) {
         Attributes emptyResult;
         callback->OnResult(result, emptyResult);

frameworks/account_iam/src/account_iam_mgr_proxy.cpp

@@ -272,15 +272,46 @@ int32_t AccountIAMMgrProxy::GetCredentialInfo(
     return result;
 }
 
-ErrCode AccountIAMMgrProxy::AuthUser(
-    int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId)
+int32_t AccountIAMMgrProxy::PrepareRemoteAuth(
+    const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback)
 {
     if (callback == nullptr) {
-        ACCOUNT_LOGE("callback is nullptr");
-        return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
+        ACCOUNT_LOGE("Prepare remote auth callback is nullptr.");
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
     }
     MessageParcel data;
-    if (!WriteCommonData(data, userId)) {
+    if (!data.WriteInterfaceToken(GetDescriptor())) {
+        ACCOUNT_LOGE("Write descriptor failed.");
+        callback->OnResult(ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR);
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
+    if (!data.WriteString(remoteNetworkId)) {
+        ACCOUNT_LOGE("Write remoteNetworkId failed.");
+        callback->OnResult(ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR);
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
+    if (!data.WriteRemoteObject(callback->AsObject())) {
+        ACCOUNT_LOGE("Write callback failed.");
+        callback->OnResult(ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR);
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
+    MessageParcel reply;
+    int32_t result = SendRequest(AccountIAMInterfaceCode::PREPARE_REMOTE_AUTH, data, reply);
+    if (result != ERR_OK) {
+        callback->OnResult(result);
+        return result;
+    }
+
+    if (!reply.ReadInt32(result)) {
+        ACCOUNT_LOGE("Read result failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    return result;
+}
+
+bool AccountIAMMgrProxy::WriteAuthParam(MessageParcel &data, const AuthParam &authParam)
+{
+    if (!WriteCommonData(data, authParam.userId)) {
         return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
     }
     if (!data.WriteUInt8Vector(authParam.challenge)) {
@@ -295,10 +326,80 @@ ErrCode AccountIAMMgrProxy::AuthUser(
         ACCOUNT_LOGE("failed to write authTrustLevel");
         return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
     }
+    if (!data.WriteInt32(static_cast<int32_t>(authParam.authIntent))) {
+        ACCOUNT_LOGE("failed to write authTrustLevel");
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
+    return true;
+}
+
+bool AccountIAMMgrProxy::WriteRemoteAuthParam(MessageParcel &data,
+    const std::optional<RemoteAuthParam> &remoteAuthParam)
+{
+    bool res = (remoteAuthParam != std::nullopt);
+    if (!data.WriteBool(res)) {
+        ACCOUNT_LOGE("Write RemoteAuthParam exist failed.");
+        return false;
+    }
+    if (!res) {
+        return true;
+    }
+    res = (remoteAuthParam.value().verifierNetworkId != std::nullopt);
+    if (!data.WriteBool(res)) {
+        ACCOUNT_LOGE("Write verifierNetworkId exist failed.");
+        return false;
+    }
+    if (res) {
+        if (!data.WriteString(remoteAuthParam.value().verifierNetworkId.value())) {
+            ACCOUNT_LOGE("Write verifierNetworkId failed.");
+            return false;
+        }
+    }
+    res = (remoteAuthParam.value().collectorNetworkId != std::nullopt);
+    if (!data.WriteBool(res)) {
+        ACCOUNT_LOGE("Write collectorNetworkId exist failed.");
+        return false;
+    }
+    if (res) {
+        if (!data.WriteString(remoteAuthParam.value().collectorNetworkId.value())) {
+            ACCOUNT_LOGE("Write collectorNetworkId failed.");
+            return false;
+        }
+    }
+    res = (remoteAuthParam.value().collectorTokenId != std::nullopt);
+    if (!data.WriteBool(res)) {
+        ACCOUNT_LOGE("Write collectorTokenId exist failed.");
+        return false;
+    }
+    if (res) {
+        if (!data.WriteUint32(remoteAuthParam.value().collectorTokenId.value())) {
+            ACCOUNT_LOGE("Write collectorTokenId failed.");
+            return false;
+        }
+    }
+    return true;
+}
+
+ErrCode AccountIAMMgrProxy::AuthUser(
+    AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId)
+{
+    if (callback == nullptr) {
+        ACCOUNT_LOGE("callback is nullptr");
+        return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
+    }
+    MessageParcel data;
+    if (!WriteAuthParam(data, authParam)) {
+        ACCOUNT_LOGE("failed to write authParam");
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
     if (!data.WriteRemoteObject(callback->AsObject())) {
         ACCOUNT_LOGE("failed to write callback");
         return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
     }
+    if (!WriteRemoteAuthParam(data, authParam.remoteAuthParam)) {
+        ACCOUNT_LOGE("failed to write RemoteAuthParam");
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
     MessageParcel reply;
     ErrCode result = SendRequest(AccountIAMInterfaceCode::AUTH_USER, data, reply);
     if (result != ERR_OK) {

frameworks/account_iam/test/unittest/src/account_iam_callback_service_test.cpp

@@ -39,7 +39,8 @@ using namespace OHOS::Security::AccessToken;
 class MockIInputer : public OHOS::AccountSA::IInputer {
 public:
     virtual ~MockIInputer() {}
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override
     {
         return;
     }
@@ -188,7 +189,7 @@ HWTEST_F(AccountIAMCallbackServiceTest, IAMInputer_OnGetData_0100, TestSize.Leve
     auto iamInputerData = std::make_shared<IAMInputerData>(TEST_USER_ID, nullptr);
     EXPECT_TRUE(iamInputerData != nullptr);
     iamInputer->inputerData_ = nullptr;
-    iamInputer->OnGetData(authSubType, iamInputerData);
+    iamInputer->OnGetData(authSubType, std::vector<uint8_t>(), iamInputerData);
 }
 
 /**
@@ -205,7 +206,7 @@ HWTEST_F(AccountIAMCallbackServiceTest, IAMInputer_OnGetData_0200, TestSize.Leve
     int32_t authSubType = 0;
     auto iamInputerData = std::make_shared<IAMInputerData>(TEST_USER_ID, nullptr);
     EXPECT_TRUE(iamInputerData != nullptr);
-    iamInputer->OnGetData(authSubType, iamInputerData);
+    iamInputer->OnGetData(authSubType, std::vector<uint8_t>(), iamInputerData);
 }
 
 /**
@@ -220,7 +221,7 @@ HWTEST_F(AccountIAMCallbackServiceTest, IAMInputer_OnGetData_0300, TestSize.Leve
     auto iamInputer = std::make_shared<IAMInputer>(TEST_USER_ID, inputer);
     ASSERT_TRUE(iamInputer != nullptr);
     int32_t authSubType = 0;
-    iamInputer->OnGetData(authSubType, nullptr);
+    iamInputer->OnGetData(authSubType, std::vector<uint8_t>(), nullptr);
     std::string cmd = "hilog -x | grep 'AccountIAMFwk'";
     std::string cmdRes = RunCommand(cmd);
     ASSERT_TRUE(cmdRes.find("inputerData is nullptr") != std::string::npos);

frameworks/account_iam/test/unittest/src/account_iam_client_no_permission_test.cpp

@@ -81,7 +81,8 @@ public:
 class MockIInputer : public OHOS::AccountSA::IInputer {
 public:
     virtual ~MockIInputer() {}
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override
     {
         return;
     }
@@ -304,8 +305,10 @@ HWTEST_F(AccountIAMClientNoPermissionTest, AccountIAMClientNoPermission_AuthUser
     SetPropertyRequest testRequest = {};
     auto callback = std::make_shared<MockIDMCallback>();
     ASSERT_NE(callback, nullptr);
+    AuthOptions authOptions;
+    authOptions.accountId = TEST_USER_ID;
     int32_t res = AccountIAMClient::GetInstance().AuthUser(
-        TEST_USER_ID, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, callback);
+        authOptions, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, callback);
     EXPECT_EQ(res, ERR_OK);
 }
 

frameworks/account_iam/test/unittest/src/account_iam_client_test.cpp

@@ -123,7 +123,8 @@ HapInfoParams infoManagerTestSystemInfoParms = {
 class MockIInputer : public OHOS::AccountSA::IInputer {
 public:
     virtual ~MockIInputer() {}
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override
     {
         return;
     }
@@ -181,7 +182,8 @@ private:
 #ifdef HAS_PIN_AUTH_PART
 class TestIInputer : public OHOS::AccountSA::IInputer {
 public:
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override
     {
         if (inputerData != nullptr) {
             inputerData->OnSetData(authSubType, {0, 0, 0, 0, 0, 0});
@@ -554,15 +556,19 @@ HWTEST_F(AccountIAMClientTest, AccountIAMClient_AuthUser_0100, TestSize.Level0)
     EXPECT_NE(callback, nullptr);
     EXPECT_CALL(*callback, OnResult(_, _)).Times(Exactly(2));
     auto testCallback = std::make_shared<TestIDMCallback>(callback);
-    AccountIAMClient::GetInstance().AuthUser(0, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback);
+    AuthOptions authOptionsOne;
+    AccountIAMClient::GetInstance().AuthUser(
+        authOptionsOne, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback);
     {
         std::unique_lock<std::mutex> lock(testCallback->mutex);
         testCallback->cv.wait_for(
             lock, std::chrono::seconds(WAIT_TIME), [lockCallback = testCallback]() { return lockCallback->isReady; });
     }
     testCallback->isReady = false;
+    AuthOptions authOptionsTwo;
+    authOptionsTwo.accountId = TEST_USER_ID;
     AccountIAMClient::GetInstance().AuthUser(
-        TEST_USER_ID, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback);
+        authOptionsTwo, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback);
     {
         std::unique_lock<std::mutex> lock(testCallback->mutex);
         testCallback->cv.wait_for(
@@ -578,8 +584,9 @@ HWTEST_F(AccountIAMClientTest, AccountIAMClient_AuthUser_0100, TestSize.Level0)
  */
 HWTEST_F(AccountIAMClientTest, AccountIAMClient_AuthUser_0200, TestSize.Level0)
 {
+    AuthOptions authOptions;
     uint64_t ret = AccountIAMClient::GetInstance().AuthUser(
-        0, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, nullptr);
+        authOptions, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, nullptr);
     EXPECT_EQ(ret, 0);
 }
 
@@ -596,7 +603,9 @@ HWTEST_F(AccountIAMClientTest, AccountIAMClient_Auth_0100, TestSize.Level0)
     EXPECT_NE(callback, nullptr);
     EXPECT_CALL(*callback, OnResult(_, _)).Times(Exactly(1));
     auto testCallback = std::make_shared<TestIDMCallback>(callback);
-    AccountIAMClient::GetInstance().Auth(TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback);
+    AuthOptions authOptions;
+    AccountIAMClient::GetInstance().Auth(authOptions,
+        TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback);
     std::unique_lock<std::mutex> lock(testCallback->mutex);
     testCallback->cv.wait_for(
         lock, std::chrono::seconds(WAIT_TIME), [lockCallback = testCallback]() { return lockCallback->isReady; });

frameworks/account_iam/test/unittest/src/account_iam_mgr_proxy_test.cpp

@@ -85,7 +85,8 @@ HWTEST_F(AccountIAMMgrProxyTest, AccountIAMMgrProxy001, TestSize.Level0)
     std::vector<uint8_t> challenge;
     CredentialParameters credInfo;
     const std::vector<uint8_t> authToken = {0, 0};
-    AuthParam authParam;
+    AccountSA::AuthParam authParam;
+    authParam.userId = TEST_USER_ID;
     uint64_t contextId;
     GetPropertyRequest g_request;
     SetPropertyRequest s_request;
@@ -103,7 +104,7 @@ HWTEST_F(AccountIAMMgrProxyTest, AccountIAMMgrProxy001, TestSize.Level0)
 
     int32_t ret = accountIAMMgrProxy->GetCredentialInfo(TEST_USER_ID, AuthType::ALL, nullptr);
     EXPECT_EQ(ERR_ACCOUNT_COMMON_INVALID_PARAMETER, ret);
-    ret = accountIAMMgrProxy->AuthUser(TEST_USER_ID, authParam, nullptr, contextId);
+    ret = accountIAMMgrProxy->AuthUser(authParam, nullptr, contextId);
     EXPECT_EQ(ERR_ACCOUNT_COMMON_INVALID_PARAMETER, ret);
 }
 }  // namespace AccountTest

frameworks/common/include/accountmgr_service_ipc_interface_code.h

@@ -159,6 +159,7 @@ enum class AccountIAMInterfaceCode : uint32_t {
     DEL_CRED,
     DEL_USER,
     GET_CREDENTIAL_INFO,
+    PREPARE_REMOTE_AUTH,
     AUTH_USER,
     CANCEL_AUTH,
     GET_AVAILABLE_STATUS,
@@ -263,6 +264,10 @@ enum class GetSetPropCallbackInterfaceCode : uint32_t {
 enum class GetEnrolledIdCallbackInterfaceCode : uint32_t {
     ON_ENROLLED_ID = 0,
 };
+
+enum class PreRemoteAuthCallbackInterfaceCode : uint32_t {
+    ON_RESULT = 0,
+};
 }  // namespace AccountSA
 }  // namespace OHOS
 #endif // OS_ACCOUNT_FRAMEWORK_ACCOUNTMGR_SERVICE_IPC_INTERFACE_CODE_H

frameworks/test/unittest/account_iam_proxy_mock_test.cpp

@@ -194,8 +194,10 @@ HWTEST_F(AccountIAMProxyMockTest, AccountIAMClient_AuthUser_0100, TestSize.Level
     SetPropertyRequest testRequest = {};
     auto testCallback = std::make_shared<IDMCallbackMockTest>();
     ASSERT_NE(testCallback, nullptr);
+    AuthOptions authOptions;
+    authOptions.accountId = TEST_USER_ID;
     ASSERT_EQ(static_cast<uint64_t>(0), AccountIAMClient::GetInstance().AuthUser(
-        TEST_USER_ID, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback));
+        authOptions, TEST_CHALLENGE, AuthType::PIN, AuthTrustLevel::ATL1, testCallback));
 }
 
 /**

interfaces/innerkits/account_iam/native/include/account_iam_callback_service.h

@@ -66,6 +66,16 @@ private:
     DISALLOW_COPY_AND_MOVE(GetEnrolledIdCallbackService);
 };
 
+class PreRemoteAuthCallbackService : public PreRemoteAuthCallbackStub {
+public:
+    explicit PreRemoteAuthCallbackService(const std::shared_ptr<PreRemoteAuthCallback> &callback);
+    void OnResult(int32_t result) override;
+
+private:
+    std::shared_ptr<PreRemoteAuthCallback> callback_;
+    DISALLOW_COPY_AND_MOVE(PreRemoteAuthCallbackService);
+};
+
 class DomainAuthCallbackAdapter final : public DomainAccountCallback {
 public:
     explicit DomainAuthCallbackAdapter(const std::shared_ptr<IDMCallback> &callback);
@@ -104,7 +114,8 @@ public:
     IAMInputer(int32_t userId, const std::shared_ptr<IInputer> &inputer);
     virtual ~IAMInputer();
 
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override;
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override;
     void ResetInnerInputer(const std::shared_ptr<IInputer> &inputer);
 private:
     int32_t userId_;

interfaces/innerkits/account_iam/native/include/account_iam_callback_stub.h

@@ -62,6 +62,16 @@ public:
 private:
     ErrCode ProcOnEnrolledId(MessageParcel &data, MessageParcel &reply);
 };
+
+class PreRemoteAuthCallbackStub : public IRemoteStub<IPreRemoteAuthCallback> {
+public:
+    PreRemoteAuthCallbackStub() {};
+    int OnRemoteRequest(
+        uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) override;
+
+private:
+    ErrCode ProcOnResult(MessageParcel &data, MessageParcel &reply);
+};
 }  // namespace AccountSA
 }  // namespace OHOS
 #endif  // OS_ACCOUNT_INTERFACES_INNERKITS_ACCOUNT_IAM_NATIVE_INCLUDE_ACCOUNT_IAM_CALLBACK_STUB_H

interfaces/innerkits/account_iam/native/include/account_iam_client.h

@@ -133,28 +133,39 @@ public:
     int32_t GetCredentialInfo(int32_t userId, AuthType authType, const std::shared_ptr<GetCredInfoCallback> &callback);
 
     /**
-     * @brief Executes user authentication.
+     * @brief Prepare remote auth.
      * @permission ohos.permission.ACCESS_USER_AUTH_INTERNAL
-     * @param challenge - Indicates the challenge value.
-     * @param authType - Indicates the authentication type.
-     * @param authTrustLevel - Indicates the trust level of authentication result.
-     * @param callback - Indicates the callback to get result and acquireInfo.
-     * @return a context ID for cancellation.
+     * @param remoteNetworkId - Indicates the remote network id.
+     * @param callback - Indicates the callback for getting result.
+     * @return error code, see account_error_no.h
      */
-    uint64_t Auth(const std::vector<uint8_t> &challenge, AuthType authType, AuthTrustLevel authTrustLevel,
-        const std::shared_ptr<IDMCallback> &callback);
+    int32_t PrepareRemoteAuth(
+        const std::string &remoteNetworkId, const std::shared_ptr<PreRemoteAuthCallback> &callback);
 
     /**
      * @brief Executes user authentication.
      * @permission ohos.permission.ACCESS_USER_AUTH_INTERNAL
-     * @param userId - Indicates the user identification.
+     * @param authOptions - Indicates the AuthOptions.
      * @param challenge - Indicates the challenge value.
      * @param authType - Indicates the authentication type.
      * @param authTrustLevel - Indicates the trust level of authentication result.
      * @param callback - Indicates the callback to get result and acquireInfo.
      * @return a context ID for cancellation.
      */
-    uint64_t AuthUser(int32_t userId, const std::vector<uint8_t> &challenge, AuthType authType,
+    uint64_t Auth(AuthOptions& authOptions, const std::vector<uint8_t> &challenge, AuthType authType,
+        AuthTrustLevel authTrustLevel, const std::shared_ptr<IDMCallback> &callback);
+
+    /**
+     * @brief Executes user authentication.
+     * @permission ohos.permission.ACCESS_USER_AUTH_INTERNAL
+     * @param authOptions - Indicates the AuthOptions.
+     * @param challenge - Indicates the challenge value.
+     * @param authType - Indicates the authentication type.
+     * @param authTrustLevel - Indicates the trust level of authentication result.
+     * @param callback - Indicates the callback to get result and acquireInfo.
+     * @return a context ID for cancellation.
+     */
+    uint64_t AuthUser(AuthOptions &authOptions, const std::vector<uint8_t> &challenge, AuthType authType,
         AuthTrustLevel authTrustLevel, const std::shared_ptr<IDMCallback> &callback);
 
     /**

interfaces/innerkits/account_iam/native/include/account_iam_client_callback.h

@@ -40,6 +40,11 @@ class GetEnrolledIdCallback {
 public:
     virtual void OnEnrolledId(int32_t result, uint64_t enrolledId) = 0;
 };
+
+class PreRemoteAuthCallback {
+public:
+    virtual void OnResult(int32_t result) = 0;
+};
 }  // namespace AccountSA
 }  // namespace OHOS
 #endif  // OS_ACCOUNT_INTERFACES_INNERKITS_ACCOUNT_IAM_NATIVE_INCLUDE_ACCOUNT_IAM_CLIENT_CALLBACK_H

interfaces/innerkits/account_iam/native/include/account_iam_info.h

@@ -51,6 +51,7 @@ typedef UserIam::UserAuth::CredentialParameters CredentialParameters;
 typedef UserIam::UserAuth::CredentialInfo CredentialInfo;
 typedef UserIam::UserAuth::GetSecUserInfoCallback GetSecUserInfoCallback;
 typedef UserIam::UserAuth::GetCredentialInfoCallback GetCredentialInfoCallback;
+typedef UserIam::UserAuth::PrepareRemoteAuthCallback PrepareRemoteAuthCallback;
 
 enum IAMAuthType {
     DOMAIN = 1024,
@@ -81,10 +82,41 @@ struct CredentialItem {
     std::vector<uint8_t> credential;
 };
 
+enum AuthIntent : int32_t {
+    DEFAULT = 0,
+    UNLOCK = 1,
+    INIT = 2,
+};
+
+struct RemoteAuthParam {
+    std::optional<std::string> verifierNetworkId;
+    std::optional<std::string> collectorNetworkId;
+    std::optional<uint32_t> collectorTokenId;
+};
+
 struct AuthParam {
+    int32_t userId = 0;
     std::vector<uint8_t> challenge;
     AuthType authType;
     AuthTrustLevel authTrustLevel;
+    AuthIntent authIntent = AuthIntent::DEFAULT;
+    std::optional<RemoteAuthParam> remoteAuthParam;
+};
+
+struct RemoteAuthOptions {
+    std::string verifierNetworkId;
+    std::string collectorNetworkId;
+    uint32_t collectorTokenId;
+    bool hasVerifierNetworkId = false;
+    bool hasCollectorNetworkId = false;
+    bool hasCollectorTokenId = false;
+};
+
+struct AuthOptions {
+    int32_t accountId = 0;
+    AuthIntent authIntent = AuthIntent::DEFAULT;
+    RemoteAuthOptions remoteAuthOptions;
+    bool hasRemoteAuthOptions = false;
 };
 }  // namespace AccountSA
 }  // namespace OHOS

interfaces/innerkits/account_iam/native/include/account_iam_mgr_proxy.h

@@ -40,8 +40,9 @@ public:
     void DelUser(int32_t userId, const std::vector<uint8_t> &authToken, const sptr<IIDMCallback> &callback) override;
     int32_t GetCredentialInfo(
         int32_t userId, AuthType authType, const sptr<IGetCredInfoCallback> &callback) override;
-    int32_t AuthUser(
-        int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId) override;
+    int32_t PrepareRemoteAuth(
+        const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback) override;
+    int32_t AuthUser(AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId) override;
     int32_t CancelAuth(uint64_t contextId) override;
     int32_t GetAvailableStatus(const AuthType authType, const AuthTrustLevel authTrustLevel, int32_t &status) override;
     void GetProperty(
@@ -56,6 +57,8 @@ private:
     void AddOrUpdateCredential(int32_t userId, const CredentialParameters &credInfo,
         const sptr<IIDMCallback> &callback, bool isAdd);
     bool WriteCommonData(MessageParcel &data, int32_t userId);
+    bool WriteAuthParam(MessageParcel &data, const AuthParam &authParam);
+    bool WriteRemoteAuthParam(MessageParcel &data, const std::optional<RemoteAuthParam> &remoteAuthParam);
 
 private:
     static inline BrokerDelegator<AccountIAMMgrProxy> delegator_;

interfaces/innerkits/account_iam/native/include/iaccount_iam.h

@@ -41,8 +41,9 @@ public:
         int32_t userId, const std::vector<uint8_t> &authToken, const sptr<IIDMCallback> &callback) = 0;
     virtual int32_t GetCredentialInfo(
         int32_t userId, AuthType authType, const sptr<IGetCredInfoCallback> &callback) = 0;
-    virtual int32_t AuthUser(
-        int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId) = 0;
+    virtual int32_t PrepareRemoteAuth(
+        const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback) = 0;
+    virtual int32_t AuthUser(AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId) = 0;
     virtual int32_t CancelAuth(uint64_t contextId) = 0;
     virtual int32_t GetAvailableStatus(AuthType authType, AuthTrustLevel authTrustLevel, int32_t &status) = 0;
     virtual void GetProperty(

interfaces/innerkits/account_iam/native/include/iaccount_iam_callback.h

@@ -47,6 +47,12 @@ public:
     DECLARE_INTERFACE_DESCRIPTOR(u"ohos.accountfwk.IGetEnrolledIdCallback");
     virtual void OnEnrolledId(int32_t result, uint64_t enrolledId) = 0;
 };
+
+class IPreRemoteAuthCallback : public IRemoteBroker {
+public:
+    DECLARE_INTERFACE_DESCRIPTOR(u"ohos.accountfwk.IPreRemoteAuthCallback");
+    virtual void OnResult(int32_t result) = 0;
+};
 }  // namespace AccountSA
 }  // OHOS
 #endif  // OS_ACCOUNT_INTERFACES_INNERKITS_ACCOUNT_IAM_NATIVE_INCLUDE_ACCOUNT_IAM_CALLBACK_H

interfaces/kits/napi/account_iam/include/napi_account_iam_common.h

@@ -39,6 +39,7 @@ constexpr size_t PARAM_ONE = 1;
 constexpr size_t PARAM_TWO = 2;
 constexpr size_t PARAM_THREE = 3;
 constexpr size_t PARAM_FOUR = 4;
+constexpr size_t PARAM_FIVE = 5;
 
 int32_t AccountIAMConvertToJSErrCode(int32_t errCode);
 
@@ -84,9 +85,30 @@ struct AuthContext {
     int32_t trustLevel = -1;
     bool throwErr = true;
     std::vector<uint8_t> challenge;
+    AccountSA::AuthOptions authOptions;
     std::shared_ptr<AccountSA::IDMCallback> callback;
 };
 
+struct PrepareRemoteAuthContext : public CommonAsyncContext {
+    explicit PrepareRemoteAuthContext(napi_env napiEnv) : CommonAsyncContext(napiEnv) {};
+    int32_t result = 0;
+    std::string remoteNetworkId;
+};
+
+class NapiPrepareRemoteAuthCallback : public AccountSA::PreRemoteAuthCallback {
+public:
+    explicit NapiPrepareRemoteAuthCallback(napi_env env, napi_ref callbackRef, napi_deferred deferred);
+    virtual ~NapiPrepareRemoteAuthCallback();
+
+    void OnResult(int32_t result) override;
+
+private:
+    napi_env env_ = nullptr;
+    napi_ref callbackRef_ = nullptr;
+    napi_deferred deferred_ = nullptr;
+    std::mutex mutex_;
+};
+
 struct IDMContext : public CommonAsyncContext {
     IDMContext(napi_env napiEnv) : CommonAsyncContext(napiEnv) {};
     bool throwErr = true;
@@ -214,6 +236,7 @@ private:
 #ifdef HAS_PIN_AUTH_PART
 struct InputerContext : public CommonAsyncContext {
     int32_t authSubType = -1;
+    std::vector<uint8_t> challenge;
     std::shared_ptr<AccountSA::IInputerData> inputerData = nullptr;
     std::shared_ptr<NapiCallbackRef> callback;
 };
@@ -223,7 +246,8 @@ public:
     NapiGetDataCallback(napi_env env, const std::shared_ptr<NapiCallbackRef> &callback);
     virtual ~NapiGetDataCallback();
 
-    void OnGetData(int32_t authSubType, const std::shared_ptr<AccountSA::IInputerData> inputerData) override;
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        const std::shared_ptr<AccountSA::IInputerData> inputerData) override;
 
 private:
     napi_env env_;

interfaces/kits/napi/account_iam/include/napi_account_iam_user_auth.h

@@ -34,6 +34,7 @@ private:
     static napi_value Auth(napi_env env, napi_callback_info info);
     static napi_value AuthUser(napi_env env, napi_callback_info info);
     static napi_value CancelAuth(napi_env env, napi_callback_info info);
+    static napi_value PrepareRemoteAuth(napi_env env, napi_callback_info info);
 };
 }  // namespace AccountJsKit
 }  // namespace OHOS

interfaces/kits/napi/account_iam/src/napi_account_iam_common.cpp

@@ -761,6 +761,74 @@ NapiSetPropCallback::~NapiSetPropCallback()
     deferred_ = nullptr;
 }
 
+NapiPrepareRemoteAuthCallback::NapiPrepareRemoteAuthCallback(napi_env env, napi_ref callbackRef, napi_deferred deferred)
+    : env_(env), callbackRef_(callbackRef), deferred_(deferred)
+{}
+
+NapiPrepareRemoteAuthCallback::~NapiPrepareRemoteAuthCallback()
+{
+    if (callbackRef_ != nullptr) {
+        ReleaseNapiRefAsync(env_, callbackRef_);
+        callbackRef_ = nullptr;
+    }
+    deferred_ = nullptr;
+}
+
+static void OnPrepareRemoteAuthWork(uv_work_t* work, int status)
+{
+    std::unique_ptr<uv_work_t> workPtr(work);
+    napi_handle_scope scope = nullptr;
+    if (!InitUvWorkCallbackEnv(work, scope)) {
+        return;
+    }
+    std::unique_ptr<PrepareRemoteAuthContext> context(reinterpret_cast<PrepareRemoteAuthContext *>(work->data));
+    napi_env env = context->env;
+    napi_value errJs = nullptr;
+    napi_value dataJs = nullptr;
+    context->errCode = context->result;
+    if (context->result != ERR_OK) {
+        int32_t jsErrCode = AccountIAMConvertToJSErrCode(context->result);
+        errJs = GenerateBusinessError(env, jsErrCode, ConvertToJsErrMsg(jsErrCode));
+        napi_get_null(env, &dataJs);
+    } else {
+        napi_get_null(env, &errJs);
+        napi_get_null(env, &dataJs);
+    }
+    CallbackAsyncOrPromise(env, context.get(), errJs, dataJs);
+    napi_close_handle_scope(env, scope);
+}
+
+void NapiPrepareRemoteAuthCallback::OnResult(int32_t result)
+{
+    std::lock_guard<std::mutex> lock(mutex_);
+    if ((callbackRef_ == nullptr) && (deferred_ == nullptr)) {
+        return;
+    }
+    std::unique_ptr<uv_work_t> work = std::make_unique<uv_work_t>();
+    std::unique_ptr<PrepareRemoteAuthContext> context = std::make_unique<PrepareRemoteAuthContext>(env_);
+    uv_loop_s *loop = nullptr;
+    napi_get_uv_event_loop(env_, &loop);
+    if (loop == nullptr || work == nullptr || context == nullptr) {
+        ACCOUNT_LOGE("Nullptr fail.");
+        return;
+    }
+    context->deferred = deferred_;
+    context->errCode = ERR_OK;
+    context->result = result;
+    work->data = reinterpret_cast<void *>(context.get());
+    ErrCode ret = uv_queue_work_with_qos(
+        loop, work.get(), [] (uv_work_t *work) {}, OnPrepareRemoteAuthWork, uv_qos_user_initiated);
+    if (ret != ERR_OK) {
+        context->callbackRef = nullptr;
+        ACCOUNT_LOGE("Create uv work failed.");
+        return;
+    }
+    ACCOUNT_LOGI("Create prepare remote auth work finish.");
+    deferred_ = nullptr;
+    work.release();
+    context.release();
+}
+
 static void OnSetPropertyWork(uv_work_t* work, int status)
 {
     std::unique_ptr<uv_work_t> workPtr(work);
@@ -928,10 +996,18 @@ static void OnGetDataWork(uv_work_t* work, int status)
         return;
     }
     std::unique_ptr<InputerContext> context(reinterpret_cast<InputerContext *>(work->data));
-    napi_value argv[ARG_SIZE_TWO] = {0};
+    napi_value argv[ARG_SIZE_THREE] = {0};
     napi_create_int32(context->env, context->authSubType, &argv[PARAM_ZERO]);
     GetInputerInstance(context.get(), &argv[PARAM_ONE]);
-    NapiCallVoidFunction(context->env, argv, ARG_SIZE_TWO, context->callback->callbackRef);
+
+    napi_create_object(context->env, &argv[PARAM_TWO]);
+    if (!(context->challenge.empty())) {
+        napi_value dataJs = nullptr;
+        dataJs = CreateUint8Array(context->env, context->challenge.data(), context->challenge.size());
+        napi_set_named_property(context->env, argv[PARAM_TWO], "challenge", dataJs);
+    }
+
+    NapiCallVoidFunction(context->env, argv, ARG_SIZE_THREE, context->callback->callbackRef);
 }
 
 NapiGetDataCallback::NapiGetDataCallback(napi_env env, const std::shared_ptr<NapiCallbackRef> &callback)
@@ -941,7 +1017,8 @@ NapiGetDataCallback::NapiGetDataCallback(napi_env env, const std::shared_ptr<Nap
 NapiGetDataCallback::~NapiGetDataCallback()
 {}
 
-void NapiGetDataCallback::OnGetData(int32_t authSubType, const std::shared_ptr<AccountSA::IInputerData> inputerData)
+void NapiGetDataCallback::OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+    const std::shared_ptr<AccountSA::IInputerData> inputerData)
 {
     if (callback_ == nullptr) {
         ACCOUNT_LOGE("the onGetData function is undefined");
@@ -958,6 +1035,7 @@ void NapiGetDataCallback::OnGetData(int32_t authSubType, const std::shared_ptr<A
     context->env = env_;
     context->callback = callback_;
     context->authSubType = authSubType;
+    context->challenge = challenge;
     context->inputerData = inputerData;
     work->data = reinterpret_cast<void *>(context.get());
     int errCode = uv_queue_work_with_qos(

interfaces/kits/napi/account_iam/src/napi_account_iam_constant.cpp

@@ -272,6 +272,16 @@ napi_value FingerprintTipsConstructorForInnerkits(napi_env env)
     return fingerprintTips;
 }
 
+napi_value AuthIntentConstructorForInnerkits(napi_env env)
+{
+    napi_value authIntent = nullptr;
+    napi_value unlock = nullptr;
+    NAPI_CALL(env, napi_create_object(env, &authIntent));
+    NAPI_CALL(env, napi_create_int32(env, static_cast<int32_t>(AuthIntent::UNLOCK), &unlock));
+    NAPI_CALL(env, napi_set_named_property(env, authIntent, "UNLOCK", unlock));
+    return authIntent;
+}
+
 napi_value NapiAccountIAMConstant::Init(napi_env env, napi_value exports)
 {
     napi_property_descriptor descriptors[] = {
@@ -285,6 +295,7 @@ napi_value NapiAccountIAMConstant::Init(napi_env env, napi_value exports)
         DECLARE_NAPI_PROPERTY("ResultCode", ResultCodeConstructor(env)),
         DECLARE_NAPI_PROPERTY("FaceTipsCode", FaceTipsCodeConstructor(env)),
         DECLARE_NAPI_PROPERTY("FingerprintTips", FingerprintTipsConstructorForInnerkits(env)),
+        DECLARE_NAPI_PROPERTY("AuthIntent", AuthIntentConstructorForInnerkits(env)),
     };
     napi_define_properties(env, exports, sizeof(descriptors) / sizeof(napi_property_descriptor), descriptors);
     return exports;

interfaces/kits/napi/account_iam/src/napi_account_iam_user_auth.cpp

@@ -36,6 +36,7 @@ napi_value NapiAccountIAMUserAuth::Init(napi_env env, napi_value exports)
         DECLARE_NAPI_FUNCTION("auth", Auth),
         DECLARE_NAPI_FUNCTION("authUser", AuthUser),
         DECLARE_NAPI_FUNCTION("cancelAuth", CancelAuth),
+        DECLARE_NAPI_FUNCTION("prepareRemoteAuth", PrepareRemoteAuth),
     };
     NAPI_CALL(env, napi_define_class(env, "UserAuth", NAPI_AUTO_LENGTH, JsConstructor,
         nullptr, sizeof(clzDes) / sizeof(napi_property_descriptor), clzDes, &cons));
@@ -211,10 +212,86 @@ napi_value NapiAccountIAMUserAuth::SetProperty(napi_env env, napi_callback_info
     return result;
 }
 
+static bool ParseContextForRemoteAuthOptions(napi_env env, napi_value jsOptions, RemoteAuthOptions &remoteAuthOptions)
+{
+    napi_valuetype valueType = napi_undefined;
+    napi_typeof(env, jsOptions, &valueType);
+    if (valueType != napi_object) {
+        ACCOUNT_LOGE("Invalid object.");
+        return false;
+    }
+    if (IsOptionalPropertyExist(env, jsOptions, "verifierNetworkId")) {
+        remoteAuthOptions.hasVerifierNetworkId = true;
+        if (!GetOptionalStringPropertyByKey(
+            env, jsOptions, "verifierNetworkId", remoteAuthOptions.verifierNetworkId)) {
+            ACCOUNT_LOGE("Get remoteAuthOptions's verifierNetworkId failed.");
+            return false;
+        }
+    }
+    if (IsOptionalPropertyExist(env, jsOptions, "collectorNetworkId")) {
+        remoteAuthOptions.hasCollectorNetworkId = true;
+        if (!GetOptionalStringPropertyByKey(
+            env, jsOptions, "collectorNetworkId", remoteAuthOptions.collectorNetworkId)) {
+            ACCOUNT_LOGE("Get remoteAuthOptions's collectorNetworkId failed.");
+            return false;
+        }
+    }
+    if (IsOptionalPropertyExist(env, jsOptions, "collectorTokenId")) {
+        remoteAuthOptions.hasCollectorTokenId = true;
+        int32_t tokenId = 0;
+        if (!GetOptionalNumberPropertyByKey(env, jsOptions, "collectorTokenId", tokenId)) {
+            ACCOUNT_LOGE("Get remoteAuthOptions's collectorTokenId failed.");
+            return false;
+        }
+        remoteAuthOptions.collectorTokenId = static_cast<uint32_t>(tokenId);
+    }
+    return true;
+}
+
+static bool ParseContextForAuthOptions(napi_env env, napi_value jsOptions, AuthOptions &authOptions)
+{
+    napi_valuetype valueType = napi_undefined;
+    napi_typeof(env, jsOptions, &valueType);
+    if (valueType != napi_object) {
+        ACCOUNT_LOGE("Invalid object.");
+        return false;
+    }
+    if (IsOptionalPropertyExist(env, jsOptions, "accountId")) {
+        if (!GetOptionalNumberPropertyByKey(env, jsOptions, "accountId", authOptions.accountId)) {
+            ACCOUNT_LOGE("Get authOptions's accountId failed.");
+            return false;
+        }
+    }
+    if (IsOptionalPropertyExist(env, jsOptions, "authIntent")) {
+        int32_t authIntent = 0;
+        if (!GetOptionalNumberPropertyByKey(env, jsOptions, "authIntent", authIntent)) {
+            ACCOUNT_LOGE("Get authOptions's authIntent failed.");
+            return false;
+        }
+        authOptions.authIntent = static_cast<AuthIntent>(authIntent);
+    }
+    if (IsOptionalPropertyExist(env, jsOptions, "remoteAuthOptions")) {
+        napi_value value = nullptr;
+        NAPI_CALL_BASE(env, napi_get_named_property(env, jsOptions, "remoteAuthOptions", &value), false);
+        valueType = napi_undefined;
+        NAPI_CALL_BASE(env, napi_typeof(env, value, &valueType), false);
+        if (valueType != napi_object) {
+            ACCOUNT_LOGE("Invalid object.");
+            return false;
+        }
+        authOptions.hasRemoteAuthOptions = true;
+        if (!ParseContextForRemoteAuthOptions(env, value, authOptions.remoteAuthOptions)) {
+            ACCOUNT_LOGE("Parse authOptions failed.");
+            return false;
+        }
+    }
+    return true;
+}
+
 static napi_status ParseContextForAuth(napi_env env, napi_value *argv, size_t argc, AuthContext &context)
 {
-    if (argc != ARG_SIZE_FOUR) {
-        ACCOUNT_LOGE("the number of parameter is incorrect, expect 4, but got %{public}zu", argc);
+    if (argc != ARG_SIZE_FOUR && argc != ARG_SIZE_FIVE) {
+        ACCOUNT_LOGE("the number of parameter is incorrect, expect 4 or 5, but got %{public}zu", argc);
         return napi_invalid_arg;
     }
     size_t index = 0;
@@ -236,6 +313,12 @@ static napi_status ParseContextForAuth(napi_env env, napi_value *argv, size_t ar
         AccountNapiThrow(env, ERR_JS_PARAMETER_ERROR, errMsg, true);
         return napi_invalid_arg;
     }
+    if (argc == PARAM_FIVE) {
+        if (!ParseContextForAuthOptions(env, argv[index++], context.authOptions)) {
+            ACCOUNT_LOGE("fail to parse authOptions");
+            return napi_invalid_arg;
+        }
+    }
     std::shared_ptr<JsIAMCallback> jsCallback = std::make_shared<JsIAMCallback>(env);
     if (ParseIAMCallback(env, argv[index++], jsCallback) != napi_ok) {
         ACCOUNT_LOGE("fail to parse callback");
@@ -266,8 +349,8 @@ static napi_status ParseContextForAuthUser(napi_env env, napi_value *argv, size_
 
 napi_value NapiAccountIAMUserAuth::Auth(napi_env env, napi_callback_info info)
 {
-    size_t argc = ARG_SIZE_FOUR;
-    napi_value argv[ARG_SIZE_FOUR] = {0};
+    size_t argc = ARG_SIZE_FIVE;
+    napi_value argv[ARG_SIZE_FIVE] = {0};
     napi_get_cb_info(env, info, &argc, argv, nullptr, nullptr);
     if (argc < ARG_SIZE_FOUR) {
         ACCOUNT_LOGE("the number of parameter is incorrect, expect 4, but got %{public}zu", argc);
@@ -279,7 +362,7 @@ napi_value NapiAccountIAMUserAuth::Auth(napi_env env, napi_callback_info info)
     if (ParseContextForAuth(env, argv, argc, context) == napi_invalid_arg) {
         return nullptr;
     }
-    uint64_t contextId = AccountIAMClient::GetInstance().Auth(context.challenge,
+    uint64_t contextId = AccountIAMClient::GetInstance().Auth(context.authOptions, context.challenge,
         static_cast<AuthType>(context.authType), static_cast<AuthTrustLevel>(context.trustLevel), context.callback);
     return CreateUint8Array(env, reinterpret_cast<uint8_t *>(&contextId), sizeof(uint64_t));
 }
@@ -293,7 +376,9 @@ napi_value NapiAccountIAMUserAuth::AuthUser(napi_env env, napi_callback_info inf
     if (ParseContextForAuthUser(env, argv, argc, context) == napi_invalid_arg) {
         return nullptr;
     }
-    uint64_t contextId = AccountIAMClient::GetInstance().AuthUser(context.userId, context.challenge,
+    context.authOptions.accountId = context.userId;
+
+    uint64_t contextId = AccountIAMClient::GetInstance().AuthUser(context.authOptions, context.challenge,
         static_cast<AuthType>(context.authType), static_cast<AuthTrustLevel>(context.trustLevel), context.callback);
     return CreateUint8Array(env, reinterpret_cast<uint8_t *>(&contextId), sizeof(uint64_t));
 }
@@ -325,5 +410,66 @@ napi_value NapiAccountIAMUserAuth::CancelAuth(napi_env env, napi_callback_info i
     AccountIAMNapiThrow(env, AccountIAMConvertToJSErrCode(result), true);
     return nullptr;
 }
+
+static napi_status ParseContextForPrepareRemoteAuth(
+    napi_env env, napi_callback_info info, PrepareRemoteAuthContext *context, napi_value *result)
+{
+    size_t argc = ARG_SIZE_ONE;
+    napi_value argv[ARG_SIZE_ONE] = {0};
+    NAPI_CALL_BASE(env, napi_get_cb_info(env, info, &argc, argv, nullptr, nullptr), napi_generic_failure);
+    if (argc < ARG_SIZE_ONE) {
+        ACCOUNT_LOGE("Parse parameters failed, expect at least one parameter, but got %zu.", argc);
+        std::string errMsg = "Parameter error. The arg number must be at least 1 characters";
+        AccountNapiThrow(env, ERR_JS_PARAMETER_ERROR, errMsg, true);
+        return napi_generic_failure;
+    }
+    if (!GetStringProperty(env, argv[0], context->remoteNetworkId)) {
+        ACCOUNT_LOGE("Get remoteNetworkId failed");
+        std::string errMsg = "Parameter error. The type of remoteNetworkId must be string";
+        AccountNapiThrow(env, ERR_JS_PARAMETER_ERROR, errMsg, true);
+        return napi_generic_failure;
+    }
+    NAPI_CALL_BASE(env, napi_create_promise(env, &context->deferred, result), napi_generic_failure);
+
+    return napi_ok;
+}
+
+napi_value NapiAccountIAMUserAuth::PrepareRemoteAuth(napi_env env, napi_callback_info info)
+{
+    napi_value result = nullptr;
+    PrepareRemoteAuthContext *context = new (std::nothrow) PrepareRemoteAuthContext(env);
+    if (context == nullptr) {
+        ACCOUNT_LOGE("Create PrepareRemoteAuthContext failed.");
+        return result;
+    }
+    std::unique_ptr<PrepareRemoteAuthContext> contextPtr(context);
+
+    if (ParseContextForPrepareRemoteAuth(env, info, context, &result) != napi_ok) {
+        return nullptr;
+    }
+
+    napi_value resourceName = nullptr;
+    NAPI_CALL(env, napi_create_string_utf8(env, "PrepareRemoteAuth", NAPI_AUTO_LENGTH, &resourceName));
+    NAPI_CALL(env, napi_create_async_work(env, nullptr, resourceName,
+        [](napi_env env, void *data) {
+            if (data == nullptr) {
+                ACCOUNT_LOGE("PrepareRemoteAuth work data is nullptr.");
+                return;
+            }
+            PrepareRemoteAuthContext *context = reinterpret_cast<PrepareRemoteAuthContext *>(data);
+            auto prepareRemoteAuthCallback = std::make_shared<NapiPrepareRemoteAuthCallback>(
+                context->env, context->callbackRef, context->deferred);
+            context->callbackRef = nullptr;
+            context->result = AccountIAMClient::GetInstance().PrepareRemoteAuth(
+                context->remoteNetworkId, prepareRemoteAuthCallback);
+        },
+        [](napi_env env, napi_status status, void *data) {
+            delete reinterpret_cast<PrepareRemoteAuthContext *>(data);
+        },
+        reinterpret_cast<void *>(context), &context->work));
+    NAPI_CALL(env, napi_queue_async_work_with_qos(env, context->work, napi_qos_user_initiated));
+    contextPtr.release();
+    return result;
+}
 }  // namespace AccountJsKit
 }  // namespace OHOS

services/accountmgr/include/account_iam/account_iam_callback.h

@@ -178,6 +178,17 @@ private:
     sptr<IGetEnrolledIdCallback> innerCallback_;
 };
 
+class PrepareRemoteAuthCallbackWrapper : public PrepareRemoteAuthCallback {
+public:
+    PrepareRemoteAuthCallbackWrapper(const sptr<IPreRemoteAuthCallback> &callback);
+    virtual ~PrepareRemoteAuthCallbackWrapper() = default;
+
+    void OnResult(int32_t result) override;
+
+private:
+    sptr<IPreRemoteAuthCallback> innerCallback_;
+};
+
 class GetDomainAuthStatusInfoCallback final : public DomainAccountCallback {
 public:
     GetDomainAuthStatusInfoCallback(const GetPropertyRequest &request, const sptr<IGetSetPropCallback> &callback);

services/accountmgr/include/account_iam/account_iam_client_callback_proxy.h

@@ -71,6 +71,18 @@ private:
 private:
     static inline BrokerDelegator<GetEnrolledIdCallbackProxy> delegator_;
 };
+
+class PreRemoteAuthCallbackProxy : public IRemoteProxy<IPreRemoteAuthCallback> {
+public:
+    explicit PreRemoteAuthCallbackProxy(const sptr<IRemoteObject> &object);
+    void OnResult(int32_t result) override;
+
+private:
+    ErrCode SendRequest(PreRemoteAuthCallbackInterfaceCode code, MessageParcel &data, MessageParcel &reply);
+
+private:
+    static inline BrokerDelegator<PreRemoteAuthCallbackProxy> delegator_;
+};
 }  // namespace AccountSA
 }  // namespace OHOS
 #endif  // OS_ACCOUNT_SERVICES_ACCOUNTMGR_INCLUDE_ACCOUNT_IAM_CLIENT_CALLBACK_PROXY_H

services/accountmgr/include/account_iam/account_iam_mgr_stub.h

@@ -46,6 +46,7 @@ public:
     ErrCode ProcDelUser(MessageParcel &data, MessageParcel &reply);
     ErrCode ProcCancel(MessageParcel &data, MessageParcel &reply);
     ErrCode ProcGetCredentialInfo(MessageParcel &data, MessageParcel &reply);
+    ErrCode ProcPrepareRemoteAuth(MessageParcel &data, MessageParcel &reply);
     ErrCode ProcAuthUser(MessageParcel &data, MessageParcel &reply);
     ErrCode ProcCancelAuth(MessageParcel &data, MessageParcel &reply);
     ErrCode ProcGetAvailableStatus(MessageParcel &data, MessageParcel &reply);
@@ -54,6 +55,8 @@ public:
     ErrCode ProcGetEnrolledId(MessageParcel &data, MessageParcel &reply);
     ErrCode ProcGetAccountState(MessageParcel &data, MessageParcel &reply);
     ErrCode ReadUserIdAndAuthType(MessageParcel &data, int32_t &userId, int32_t &authType);
+    ErrCode ReadAuthParam(MessageParcel &data, AuthParam &authParam);
+    ErrCode ReadRemoteAuthParam(MessageParcel &data, std::optional<RemoteAuthParam> &remoteAuthParam);
     ErrCode AddOrUpdateCredential(MessageParcel &data, MessageParcel &reply, bool isAdd = true);
     bool CheckPermission(const std::string &permission);
 

services/accountmgr/include/account_iam/account_iam_service.h

@@ -39,8 +39,9 @@ public:
     void DelUser(int32_t userId, const std::vector<uint8_t> &authToken, const sptr<IIDMCallback> &callback) override;
     int32_t GetCredentialInfo(
         int32_t userId, AuthType authType, const sptr<IGetCredInfoCallback> &callback) override;
-    int32_t AuthUser(
-        int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId) override;
+    int32_t PrepareRemoteAuth(
+        const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback) override;
+    int32_t AuthUser(AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId) override;
     int32_t CancelAuth(uint64_t contextId) override;
     int32_t GetAvailableStatus(AuthType authType, AuthTrustLevel authTrustLevel, int32_t &status) override;
     void GetProperty(

services/accountmgr/include/account_iam/inner_account_iam_manager.h

@@ -54,8 +54,9 @@ public:
     void GetCredentialInfo(
         int32_t userId, AuthType authType, const sptr<IGetCredInfoCallback> &callback);
     int32_t Cancel(int32_t userId);
-    int32_t AuthUser(
-        int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId);
+    int32_t PrepareRemoteAuth(
+        const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback);
+    int32_t AuthUser(AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId);
     int32_t CancelAuth(uint64_t contextId);
     int32_t GetAvailableStatus(AuthType authType, AuthTrustLevel authTrustLevel, int32_t &status);
     void GetProperty(
@@ -84,6 +85,7 @@ private:
     ErrCode GetStorageManagerProxy();
     ErrCode GetDomainAuthStatusInfo(
         int32_t userId, const GetPropertyRequest &request, const sptr<IGetSetPropCallback> &callback);
+    void CopyAuthParam(const AuthParam &authParam, UserIam::UserAuth::AuthParam &iamAuthParam);
 
 private:
     std::mutex mutex_;

services/accountmgr/src/account_iam/account_iam_callback.cpp

@@ -398,6 +398,22 @@ void GetSecUserInfoCallbackWrapper::OnSecUserInfo(const SecUserInfo &info)
     return innerCallback_->OnEnrolledId(ERR_IAM_NOT_ENROLLED, enrolledId);
 }
 
+PrepareRemoteAuthCallbackWrapper::PrepareRemoteAuthCallbackWrapper(const sptr<IPreRemoteAuthCallback> &callback)
+    : innerCallback_(callback)
+{}
+
+void PrepareRemoteAuthCallbackWrapper::OnResult(int32_t result)
+{
+    if (innerCallback_ == nullptr) {
+        ACCOUNT_LOGE("Inner callback is nullptr.");
+        return;
+    }
+    if (result != 0) {
+        ACCOUNT_LOGE("PrepareRemoteAuth, result=%{public}d fail to prepare remote auth.", result);
+    }
+    innerCallback_->OnResult(result);
+}
+
 GetDomainAuthStatusInfoCallback::GetDomainAuthStatusInfoCallback(
     const GetPropertyRequest &request, const sptr<IGetSetPropCallback> &callback)
     : request_(request), innerCallback_(callback)

services/accountmgr/src/account_iam/account_iam_client_callback_proxy.cpp

@@ -163,5 +163,25 @@ void GetEnrolledIdCallbackProxy::OnEnrolledId(int32_t result, uint64_t enrolledI
     uint32_t code = static_cast<uint32_t>(GetEnrolledIdCallbackInterfaceCode::ON_ENROLLED_ID);
     SendRequestFunc(Remote(), code, data, reply);
 }
+
+PreRemoteAuthCallbackProxy::PreRemoteAuthCallbackProxy(const sptr<IRemoteObject> &object)
+    : IRemoteProxy<IPreRemoteAuthCallback>(object)
+{}
+
+void PreRemoteAuthCallbackProxy::OnResult(int32_t result)
+{
+    uint32_t code = static_cast<uint32_t>(PreRemoteAuthCallbackInterfaceCode::ON_RESULT);
+    MessageParcel data;
+    MessageParcel reply;
+    if (!data.WriteInterfaceToken(GetDescriptor())) {
+        ACCOUNT_LOGE("Write descriptor failed.");
+        return;
+    }
+    if (!data.WriteInt32(result)) {
+        ACCOUNT_LOGE("Write result failed.");
+        return;
+    }
+    SendRequestFunc(Remote(), code, data, reply);
+}
 }  // namespace AccountSA
 }  // namespace OHOS

services/accountmgr/src/account_iam/account_iam_mgr_stub.cpp

@@ -88,6 +88,13 @@ const std::map<uint32_t, AccountIAMMgrStub::AccountIAMMessageProc> messageProcMa
             .isSyetemApi = true,
         }
     },
+    {
+        static_cast<uint32_t>(AccountIAMInterfaceCode::PREPARE_REMOTE_AUTH),
+        {
+            .messageProcFunction = &AccountIAMMgrStub::ProcPrepareRemoteAuth,
+            .isSyetemApi = true,
+        }
+    },
     {
         static_cast<uint32_t>(AccountIAMInterfaceCode::AUTH_USER),
         {
@@ -370,17 +377,37 @@ ErrCode AccountIAMMgrStub::ProcGetCredentialInfo(MessageParcel &data, MessagePar
     return ERR_NONE;
 }
 
-ErrCode AccountIAMMgrStub::ProcAuthUser(MessageParcel &data, MessageParcel &reply)
+ErrCode AccountIAMMgrStub::ProcPrepareRemoteAuth(MessageParcel &data, MessageParcel &reply)
 {
     if (!CheckPermission(ACCESS_USER_AUTH_INTERNAL)) {
         return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
     }
-    int32_t userId;
-    if (!data.ReadInt32(userId)) {
+    std::string remoteNetworkId;
+    if (!data.ReadString(remoteNetworkId)) {
+        ACCOUNT_LOGE("Read remoteNetworkId failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+
+    sptr<IPreRemoteAuthCallback> callback = iface_cast<IPreRemoteAuthCallback>(data.ReadRemoteObject());
+    if (callback == nullptr) {
+        ACCOUNT_LOGE("PreRemoteAuthCallback is nullptr.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    int result = PrepareRemoteAuth(remoteNetworkId, callback);
+    if (!reply.WriteInt32(result)) {
+        ACCOUNT_LOGE("Write result failed.");
+        return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;
+    }
+
+    return ERR_NONE;
+}
+
+ErrCode AccountIAMMgrStub::ReadAuthParam(MessageParcel &data, AuthParam &authParam)
+{
+    if (!data.ReadInt32(authParam.userId)) {
         ACCOUNT_LOGE("failed to read userId");
         return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
     }
-    AuthParam authParam;
     if (!data.ReadUInt8Vector(&authParam.challenge)) {
         ACCOUNT_LOGE("failed to read challenge");
         return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
@@ -397,13 +424,87 @@ ErrCode AccountIAMMgrStub::ProcAuthUser(MessageParcel &data, MessageParcel &repl
         return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
     }
     authParam.authTrustLevel = static_cast<AuthTrustLevel>(authTrustLevel);
+    int32_t authIntent = 0;
+    if (!data.ReadInt32(authIntent)) {
+        ACCOUNT_LOGE("failed to read authIntent for AuthUser");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    authParam.authIntent = static_cast<AuthIntent>(authIntent);
+    return ERR_OK;
+}
+
+ErrCode AccountIAMMgrStub::ReadRemoteAuthParam(MessageParcel &data,
+    std::optional<RemoteAuthParam> &remoteAuthParam)
+{
+    bool res = false;
+    if (!data.ReadBool(res)) {
+        ACCOUNT_LOGE("Read RemoteAuthParam exist failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    if (!res) {
+        return ERR_OK;
+    }
+    remoteAuthParam = RemoteAuthParam();
+    if (!data.ReadBool(res)) {
+        ACCOUNT_LOGE("Read verifierNetworkId exist failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    if (res) {
+        std::string networkId;
+        if (!data.ReadString(networkId)) {
+            ACCOUNT_LOGE("Read verifierNetworkId failed.");
+            return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+        }
+        remoteAuthParam.value().verifierNetworkId = networkId;
+    }
+    if (!data.ReadBool(res)) {
+        ACCOUNT_LOGE("Read collectorNetworkId exist failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    if (res) {
+        std::string networkId;
+        if (!data.ReadString(networkId)) {
+            ACCOUNT_LOGE("Read collectorNetworkId failed.");
+            return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+        }
+        remoteAuthParam.value().collectorNetworkId = networkId;
+    }
+    if (!data.ReadBool(res)) {
+        ACCOUNT_LOGE("Read collectorTokenId exist failed.");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
+    if (res) {
+        uint32_t tokenId;
+        if (!data.ReadUint32(tokenId)) {
+            ACCOUNT_LOGE("Read collectorTokenId failed.");
+            return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+        }
+        remoteAuthParam.value().collectorTokenId = tokenId;
+    }
+    return ERR_OK;
+}
+
+ErrCode AccountIAMMgrStub::ProcAuthUser(MessageParcel &data, MessageParcel &reply)
+{
+    if (!CheckPermission(ACCESS_USER_AUTH_INTERNAL)) {
+        return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
+    }
+    AuthParam authParam;
+    if (ReadAuthParam(data, authParam) != ERR_OK) {
+        ACCOUNT_LOGE("failed to read authParam");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
     sptr<IIDMCallback> callback = iface_cast<IIDMCallback>(data.ReadRemoteObject());
     if (callback == nullptr) {
         ACCOUNT_LOGE("UserAuthCallbackInterface is nullptr");
         return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
     }
+    if (ReadRemoteAuthParam(data, authParam.remoteAuthParam) != ERR_OK) {
+        ACCOUNT_LOGE("failed to read RemoteAuthParam");
+        return ERR_ACCOUNT_COMMON_READ_PARCEL_ERROR;
+    }
     uint64_t contextId = 0;
-    ErrCode result = AuthUser(userId, authParam, callback, contextId);
+    ErrCode result = AuthUser(authParam, callback, contextId);
     if (!reply.WriteInt32(result)) {
         ACCOUNT_LOGE("failed to write result");
         return ERR_ACCOUNT_COMMON_WRITE_PARCEL_ERROR;

services/accountmgr/src/account_iam/account_iam_service.cpp

@@ -109,13 +109,19 @@ int32_t AccountIAMService::GetCredentialInfo(
     return ERR_OK;
 }
 
-int32_t AccountIAMService::AuthUser(
-    int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId)
+int32_t AccountIAMService::PrepareRemoteAuth(
+    const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback)
 {
-    if ((userId == 0) && (!GetCurrentUserId(userId))) {
+    return InnerAccountIAMManager::GetInstance().PrepareRemoteAuth(remoteNetworkId, callback);
+}
+
+int32_t AccountIAMService::AuthUser(
+    AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId)
+{
+    if ((authParam.userId == 0) && (!GetCurrentUserId(authParam.userId))) {
         return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
     }
-    return InnerAccountIAMManager::GetInstance().AuthUser(userId, authParam, callback, contextId);
+    return InnerAccountIAMManager::GetInstance().AuthUser(authParam, callback, contextId);
 }
 
 int32_t AccountIAMService::CancelAuth(uint64_t contextId)

services/accountmgr/src/account_iam/inner_account_iam_manager.cpp

@@ -195,14 +195,50 @@ int32_t InnerAccountIAMManager::Cancel(int32_t userId)
     return UserIDMClient::GetInstance().Cancel(userId);
 }
 
-int32_t InnerAccountIAMManager::AuthUser(
-    int32_t userId, const AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId)
+int32_t InnerAccountIAMManager::PrepareRemoteAuth(
+    const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &callback)
 {
     if (callback == nullptr) {
         ACCOUNT_LOGE("callback is nullptr");
         return ERR_ACCOUNT_COMMON_NULL_PTR_ERROR;
     }
-    if ((authParam.authType != AuthType::PIN) && (!IsNonPINAllowed(userId))) {
+    ACCOUNT_LOGI("Start IAM PrepareRemoteAuth.");
+    auto prepareCallback = std::make_shared<PrepareRemoteAuthCallbackWrapper>(callback);
+    return UserAuthClient::GetInstance().PrepareRemoteAuth(remoteNetworkId, prepareCallback);
+}
+
+void InnerAccountIAMManager::CopyAuthParam(const AuthParam &authParam, UserIam::UserAuth::AuthParam &iamAuthParam)
+{
+    iamAuthParam.userId = authParam.userId;
+    iamAuthParam.challenge = authParam.challenge;
+    iamAuthParam.authType = authParam.authType;
+    iamAuthParam.authTrustLevel = authParam.authTrustLevel;
+    iamAuthParam.authIntent = static_cast<UserIam::UserAuth::AuthIntent>(authParam.authIntent);
+    if (authParam.remoteAuthParam != std::nullopt) {
+        iamAuthParam.remoteAuthParam = UserIam::UserAuth::RemoteAuthParam();
+        if (authParam.remoteAuthParam.value().verifierNetworkId != std::nullopt) {
+            iamAuthParam.remoteAuthParam.value().verifierNetworkId =
+                authParam.remoteAuthParam.value().verifierNetworkId.value();
+        }
+        if (authParam.remoteAuthParam.value().collectorNetworkId != std::nullopt) {
+            iamAuthParam.remoteAuthParam.value().collectorNetworkId =
+                authParam.remoteAuthParam.value().collectorNetworkId.value();
+        }
+        if (authParam.remoteAuthParam.value().collectorTokenId != std::nullopt) {
+            iamAuthParam.remoteAuthParam.value().collectorTokenId =
+                authParam.remoteAuthParam.value().collectorTokenId.value();
+        }
+    }
+}
+
+int32_t InnerAccountIAMManager::AuthUser(
+    AuthParam &authParam, const sptr<IIDMCallback> &callback, uint64_t &contextId)
+{
+    if (callback == nullptr) {
+        ACCOUNT_LOGE("callback is nullptr");
+        return ERR_ACCOUNT_COMMON_NULL_PTR_ERROR;
+    }
+    if ((authParam.authType != AuthType::PIN) && (!IsNonPINAllowed(authParam.userId))) {
         ACCOUNT_LOGE("unsupported auth type: %{public}d", authParam.authType);
         return ERR_ACCOUNT_IAM_UNSUPPORTED_AUTH_TYPE;
     }
@@ -211,10 +247,13 @@ int32_t InnerAccountIAMManager::AuthUser(
         ACCOUNT_LOGE("failed to add death recipient for auth callback");
         return ERR_ACCOUNT_COMMON_ADD_DEATH_RECIPIENT;
     }
-    auto callbackWrapper = std::make_shared<AuthCallback>(userId, authParam.authType, callback);
+    auto callbackWrapper = std::make_shared<AuthCallback>(authParam.userId, authParam.authType, callback);
     callbackWrapper->SetDeathRecipient(deathRecipient);
-    contextId = UserAuthClient::GetInstance().BeginAuthentication(
-        userId, authParam.challenge, authParam.authType, authParam.authTrustLevel, callbackWrapper);
+
+    UserIam::UserAuth::AuthParam iamAuthParam;
+    CopyAuthParam(authParam, iamAuthParam);
+    ACCOUNT_LOGI("Start IAM AuthUser.");
+    contextId = UserAuthClient::GetInstance().BeginAuthentication(iamAuthParam, callbackWrapper);
     deathRecipient->SetContextId(contextId);
     return ERR_OK;
 }

services/accountmgr/test/moduletest/os_account/os_account_manager_service_subscribe_module_test.cpp

@@ -155,7 +155,8 @@ private:
 class TestIInputer : public OHOS::AccountSA::IInputer {
 public:
     explicit TestIInputer() {}
-    void OnGetData(int32_t authSubType, const std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        const std::shared_ptr<IInputerData> inputerData) override
     {
         // inputer class is IAMInputerData
         std::vector<uint8_t> data = { 1, 2, 3, 4, 5, 6 };

services/accountmgr/test/unittest/account_iam/account_iam_callback_test.cpp

@@ -54,7 +54,8 @@ const static AccessTokenID g_accountMgrTokenID = AccessTokenKit::GetNativeTokenI
 class MockIInputer final : public IInputer {
 public:
     virtual ~MockIInputer() {}
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override
     {
         return;
     }

services/accountmgr/test/unittest/account_iam/account_iam_manager_test.cpp

@@ -639,16 +639,17 @@ HWTEST_F(AccountIamManagerTest, AuthUser001, TestSize.Level0)
     sptr<TestIIDMCallback> testCallback = new(std::nothrow) TestIIDMCallback(callback);
     EXPECT_NE(testCallback, nullptr);
     EXPECT_CALL(*callback, OnResult(_, _)).Times(0);
-    AuthParam authParam = {
+    AccountSA::AuthParam authParam = {
+        .userId = TEST_USER_ID,
         .challenge = TEST_CHALLENGE,
         .authType = AuthType::PIN,
         .authTrustLevel = AuthTrustLevel::ATL1
     };
     uint64_t contextId = 0;
-    ErrCode errCode = InnerAccountIAMManager::GetInstance().AuthUser(TEST_USER_ID, authParam, nullptr, contextId);
+    ErrCode errCode = InnerAccountIAMManager::GetInstance().AuthUser(authParam, nullptr, contextId);
     EXPECT_EQ(ERR_ACCOUNT_COMMON_NULL_PTR_ERROR, errCode);
 
-    errCode = InnerAccountIAMManager::GetInstance().AuthUser(TEST_USER_ID, authParam, testCallback, contextId);
+    errCode = InnerAccountIAMManager::GetInstance().AuthUser(authParam, testCallback, contextId);
     EXPECT_EQ(ERR_ACCOUNT_COMMON_ADD_DEATH_RECIPIENT, errCode);
     InnerAccountIAMManager::GetInstance().CancelAuth(contextId);
 }
@@ -683,13 +684,14 @@ HWTEST_F(AccountIamManagerTest, GetChallenge001, TestSize.Level2)
     sptr<TestIIDMCallback> testCallback = new(std::nothrow) TestIIDMCallback(callback);
     EXPECT_NE(testCallback, nullptr);
     EXPECT_CALL(*callback, OnResult(_, _)).Times(0);
-    AuthParam authParam = {
+    AccountSA::AuthParam authParam = {
+        .userId = TEST_USER_ID,
         .challenge = TEST_CHALLENGE,
         .authType = AuthType::PIN,
         .authTrustLevel = AuthTrustLevel::ATL1
     };
     uint64_t contextId = 0;
-    ErrCode errCode = InnerAccountIAMManager::GetInstance().AuthUser(TEST_USER_ID, authParam, testCallback, contextId);
+    ErrCode errCode = InnerAccountIAMManager::GetInstance().AuthUser(authParam, testCallback, contextId);
     EXPECT_EQ(errCode, ERR_ACCOUNT_COMMON_ADD_DEATH_RECIPIENT);
 
     std::vector<uint8_t> outChallenge;

services/accountmgr/test/unittest/account_iam/account_iam_service_test.cpp

@@ -225,13 +225,14 @@ HWTEST_F(AccountIamServiceTest, AccountIAMService_AuthUser_0100, TestSize.Level0
     std::vector<uint8_t> challenge;
     sptr<MockIIDMCallback> callback = new (std::nothrow) MockIIDMCallback();
     ASSERT_NE(callback, nullptr);
-    AuthParam authParam = {
+    AccountSA::AuthParam authParam = {
+        .userId = 0,
         .challenge = challenge,
         .authType = AuthType::PIN,
         .authTrustLevel = AuthTrustLevel::ATL1
     };
     uint64_t contextId = 0;
-    ErrCode res = accountIAMService_->AuthUser(0, authParam, callback, contextId);
+    ErrCode res = accountIAMService_->AuthUser(authParam, callback, contextId);
     EXPECT_EQ(res, ERR_ACCOUNT_COMMON_INVALID_PARAMETER);
 }
 

test/fuzztest/iamaccount/auth_fuzzer/auth_fuzzer.cpp

@@ -43,7 +43,9 @@ namespace OHOS {
         AuthType authType = static_cast<AuthType>(size);
         AuthTrustLevel authTrustLevel = static_cast<AuthTrustLevel>(size);
         std::shared_ptr<IDMCallback> callback = make_shared<MockIDMCallback>();
-        uint64_t result = AccountIAMClient::GetInstance().Auth(challenge, authType, authTrustLevel, callback);
+        AuthOptions authOptions;
+        uint64_t result = AccountIAMClient::GetInstance().Auth(authOptions,
+            challenge, authType, authTrustLevel, callback);
         return result == ERR_OK;
     }
 }

test/fuzztest/iamaccount/authuser_fuzzer/authuser_fuzzer.cpp

@@ -44,8 +44,10 @@ namespace OHOS {
         AuthType authType = static_cast<AuthType>(size);
         AuthTrustLevel authTrustLevel = static_cast<AuthTrustLevel>(size);
         std::shared_ptr<IDMCallback> callback = make_shared<MockIDMCallback>();
+        AuthOptions authOptions;
+        authOptions.accountId = userId;
         uint64_t result = AccountIAMClient::GetInstance().AuthUser(
-            userId, challenge, authType, authTrustLevel, callback);
+            authOptions, challenge, authType, authTrustLevel, callback);
         return result == ERR_OK;
     }
 }

test/fuzztest/iamaccount/registerinputer_fuzzer/registerinputer_fuzzer.cpp

@@ -26,7 +26,8 @@ using namespace OHOS::AccountSA;
 class MockIInputer : public OHOS::AccountSA::IInputer {
 public:
     virtual ~MockIInputer() {}
-    void OnGetData(int32_t authSubType, std::shared_ptr<IInputerData> inputerData) override
+    void OnGetData(int32_t authSubType, std::vector<uint8_t> challenge,
+        std::shared_ptr<IInputerData> inputerData) override
     {
         return;
     }